For all the grief Microsoft Corp. takes about having buggy software, a
new study shows the Mozilla Foundation’s Firefox actually had nearly
twice as many reported vulnerabilities as Internet Explorer in a
six-month span.
Does that make Explorer a safer browser to use?
Not necessarily, say security analysts. It just means IT administrators
and users need to be on alert no matter what browser they’re using.
“I can’t say that Internet Explorer is more secure than Firefox, but it
highlights the fact that no matter which browser you’re using, they have
vulnerabilities and it doesn’t matter if they’re open source or
proprietary,” says Gordon Haff, an analyst at Illuminata, an industry
analyst firm based in Nashua, N.H. “You have to keep everything
up-to-date.”
Symantec’s Internet Security Threat Report, a twice-annual analysis of
Internet security activity, shows that between January and June of this
year, Mozilla’s browser had 25 reported vulnerabilities — 18, or 72 percent, were
critical. In the same time period, Microsoft’s Internet Explorer had 13
reported vulnerabilities — eight, or 62 percent, were critical.
Patrick Martin, senior manager for security response at Symantec Corp.,
says Mozilla’s numbers from the first half of this year actually were an
improvement over the second half of 2004, when it had 31 reported
vulnerabilities. Internet Explorer also is doing better, since it had 30
in that same time frame. Mozilla has produced more than one browser, but
Firefox is far and away its most popular browser and the one mainly being
measured in the study.
Martin says the report has “raised a few eyebrows” since Firefox, an
open source browser, frequently is thought of as the safer alternative to
Internet Explorer. Firefox has picked up a strong number of new users in
the last year with many people looking to switch away from Microsoft’s
browser.
Apples and Oranges
Ken van Wyk, principal consultant for KRvW Associates, LLC and a
columnist for eSecurityPlanet, says many people may now suspect Internet
Explorer is a safer browser to use, but they should be careful about
comparing apples and oranges.
“The Mozilla code is out there. Anybody can look at it,” says van Wyk,
who is a Firefox user and plans to stay that way. “Microsoft source code
is proprietary. It’s not available for public scrutiny. You’re comparing
based on two very different sets of inputs.
“Firefox is a newer product that has been out in the open source space
for a relatively short period of time,” he adds. “It hasn’t been
exposed to public scrutiny for all that long. It’s not surprising to find
that many bugs in a product so new. It’s disappointing though.”
Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in
Mountain View, Calif., says it also comes down to how many virus writers
are attacking an application. Firefox has been relatively safe from
attack, whereas Internet Explorer has taken more than its share of hits.
“If you look at the numbers, who gets attacked? Internet Explorer users,
and especially IE users who are not patched,” says Dunham. “I can say
that Firefox has fewer exploits to date and offers security through
obscurity. That might change in the future. There’s just not near as many
attacks, but the reality is it has a number of vulnerabilities that can
be exploited.”
Dunham, like the other analysts interviewed, says it comes down to being
vigilant no matter what browser you’re using.
“There’s no magic bullet,” says Dunham. “If you’re on the Internet,
there are ways to be hit. Firefox offers security through obscurity.
There has only been one malicious code to date for Firefox-related
exploits. And there are hundreds for IE. People say, ‘I use Firefox so I
don’t get viruses.’ But this just shows that there is no magic bullet.”